| # | Policy | Regulation(s) | Description |
|---|---|---|---|
| 1 | General HIPAA Compliance Policy | 164.104; 164.306; HITECH 13401 | Covered Entities and Business Associates, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of Entity. |
| 2 | Policies & Procedures General Requirement | 164.306; 164.316; 164.312(b)(1); 164.530(i) | Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. P&P changes must be appropriately documented. |
| 3 | Documentation Policy Requirement | 164.530(j)(1)(ii) | Maintain all P&Ps in written (may be electronic) form. If an action, activity or assessment must be documented, maintain written (may be electronic) records of all. |
| 4 | Documentation Retention Policy Requirement | 164.316; 164.530(j) | Retain all required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later. |
| 5 | Documentation Availability Policy Requirement | 164.310; 164.316; 164.530(j) | Make documentation available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains. |
| 6 | Documentation Updates Policy Requirement | 164.310; 164.316; 164.530(j) | Review documentation periodically and update as needed, in response to environmental or operational changes affecting the security of PHI. |
| 7 | HHS Investigations Policy | 160.308; 164.310; 164.312 | CEs and BAs must implement policies & procedures to assure compliance with HHS investigation & recordkeeping requirements. |
| 8 | Breach Notification Policy | 164.400 to 164.414 | Requires CEs and BAs to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications. |
| 9 | Assign Privacy Official Policy | 164.530(a) | CEs and BAs must assign an individual for all Privacy-related activities and compliance efforts, and to accept and process complaints. |
| 10 | State Law Preemption Policy | 160.201 to 160.205 | CEs and BAs must analyze and assess state law requirements related to data privacy & security, and the HIPAA preemption impacts of state laws. |
| 11 | HIPAA Training Policy | 164.530(b) | CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed. |
| 12 | PHI Uses & Disclosures Policy | 164.502 to 164.514 | CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regs. |
| 13 | Patient Rights Policy | 164.520 to 164.528 | CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regs. |
| 14 | Complaints Policy | 164.530(d); 164.530(a) | CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received. |
| 15 | Risk Management Process Policy (Required) | 164.302 to 164.318 | Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements. |
| 16 | Risk Analysis (Required Standard) | 164.308(a)(1) | Conduct an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. |
| 17 | Risk Management (Required Standard) | 164.308(a)(1) | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a). |
| 18 | Sanction Policy (Required Standard) | 164.308(a)(1) | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. |
| 19 | Information System Activity Review (Required Standard) | 164.308(a)(1) | Implement procedures to regularly review information system activity: audit logs, access reports, security incident reports, etc. |
| 20 | Assigned Security Responsibility (Required Standard) | 164.308(a)(2) | Assign security responsibility. Identify the Security Official responsible for development and implementation of required P&Ps. |
| 21 | Authorization & Supervision Policy (Addressable Standard) | 164.308(a)(3) | Implement procedures for authorization and/or supervision of workers who work with ePHI or in locations where it might be accessed. |
| 22 | Workforce Clearance Policy (Addressable Standard) | 164.308(a)(3) | Implement procedures to determine that the access of a workforce member to ePHI is appropriate. |
| 23 | Termination Policy (Addressable Standard) | 164.308(a)(3) | Implement procedures for terminating access to ePHI when employment ends or as required by (a)(3)(ii)(B) of this section. |
| 24 | Access Authorization (Addressable Standard) | 164.308(a)(4) | Implement policies and procedures for granting access to ePHI, for workstations, transactions, programs, processes, or other mechanisms. |
| 25 | Access Establishment and Modification (Addressable Standard) | 164.308(a)(4) | Implement P&Ps, based on Access Authorization policies, to establish, document, review, and modify a user's rights of access to workstations, transactions, programs, or processes. |
| 26 | Security Reminders (Addressable Standard) | 164.308(a)(5) | Implement periodic reminders of security and information safety best practices. |
| 27 | Protection from Malicious Software (Addressable Standard) | 164.308(a)(5) | Implement procedures for guarding against, detecting, and reporting malicious software. |
| 28 | Log-in Monitoring (Addressable Standard) | 164.308(a)(5) | Implement procedures for monitoring and reporting log-in attempts and discrepancies. |
| 29 | Password Management (Addressable Standard) | 164.308(a)(5) | Implement procedures for creating, changing, and safeguarding appropriate passwords. |
| 30 | Security Incident Policy (Required Standard) | 164.308(a)(6); 164.400 to 164.414 | Identify and respond to suspected or known security incidents. Mitigate harmful effects. Document security incidents and their outcomes. |
| 31 | Data Backup Policy (Required Standard) | 164.308(a)(7) | Establish and implement procedures to create and maintain retrievable, exact copies of ePHI during unexpected negative events. |
| 32 | Disaster Recovery Policy (Required Standard) | 164.308(a)(7) | Establish (and implement as needed) procedures to restore any loss of data. |
| 33 | Emergency Mode Operation Policy (Required Standard) | 164.308(a)(7) | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode. |
| 34 | Testing and Revision Policy (Addressable Standard) | 164.308(a)(7) | Implement procedures for periodic testing and revision of contingency and emergency plans. |
| 35 | Applications and Data Criticality Analysis (Addressable Standard) | 164.308(a)(7) | Assess the relative criticality of specific applications and data in support of other contingency plan components. |
| 36 | Evaluation Policy (Required Standard) | 164.308(a)(8) | Perform periodic technical & nontechnical evaluations to establish how well security P&Ps meet the requirements of this subpart. |
| 37 | Business Associates Policy (Required Standard) | 164.308(b)(1); 164.410; 164.502(e); 164.504(e) | CEs must obtain, and BAs must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded. |
| 38 | Contingency Operations Policy (Addressable Standard) | 164.310(a)(1-2) | Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency. |
| 39 | Facility Security Policy (Addressable Standard) | 164.310(a)(1-2) | Implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. |
| 40 | Access Control and Validation Policy (Addressable Standard) | 164.310(a)(1-2) | Implement procedures to control and validate individual access to facilities based on role or function, including visitor control and access control for software testing and revision. |
| 41 | Maintenance Records (Addressable Standard) | 164.310(a)(1-2) | Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.). |
| 42 | Workstation Use (Required Standard) | 164.310(b-c) | Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI. |
| 43 | Workstation Security (Required Standard) | 164.310(b-c) | Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. |
| 44 | Media Disposal & Disposition (Required Standard) | 164.310(d)(1-2) | Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. |
| 45 | Media Re-use (Required Standard) | 164.310(d)(1-2) | Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. |
| 46 | Hardware & Media Accountability (Addressable Standard) | 164.310(d)(1-2) | Maintain records of the movements of hardware and electronic media, and of any person responsible therefor. |
| 47 | Data Backup and Storage (Addressable Standard) | 164.310(d)(1-2); 164.308(a)(7) | The Data Backup Plan defines what data is essential for continuity after damage or destruction of data, hardware, or software. Risk Analysis determines what to back up. |
| 48 | Unique User Identification (Required Standard) | 164.306; 164.312(a)(1-2) | Assign a unique name and/or number for identifying and tracking user identity. |
| 49 | Emergency Access Policy (Required Standard) | 164.104; 164.306; 164.312(a)(1) | Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. |
| 50 | Automatic Logoff (Addressable Standard) | 164.306; 164.312(a)(1-2) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| 51 | Encryption and Decryption (Addressable Standard) | 164.312(a)(1-2) | Implement an appropriate mechanism to encrypt and decrypt ePHI. |
| 52 | Audit Controls (Required Standard) | 164.312(b) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. |
| 53 | Integrity Controls Policy (Addressable Standard) | 164.312(c)(1-2) | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. |
| 54 | Person or Entity Authentication (Required Standard) | 164.312(d) | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. |
| 55 | Transmission Security Policy (Addressable Standard) | 164.312(e)(1) | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. |
| 56 | Mobile Device Policy (Optional Policy) | 164.302 to 164.314 | Governs the use in an entity of mobile devices that can access, use, transmit, or store ePHI. |